The WAF would not do the policy enforcement on SQL level, but the database security product. The database security would signal the result to the WAF and then the WAF would either allow the request to pass or not.
Are you trying to do database loadbalancing? Or just add another device inbetween app and db?
The pros and cons of database loadbalancing are different for different database management systems and also they are defined by the application.
Only lookig at SQL databases, they are just different between Microsoft SQL, MySQL and Oracle. Some of them come with loadbalancing solutions from the vendor, others have third party vendors offering loadbalancing solutions.
Loadbalancing must be supported at the application layer too. Read operations can be loadbalanced more easily, write operations might be more difficult. Think of consistency, how are db updates synchronized in case you send writes to different SQL servers?
But also, does the application allow read operations from database servers that have not yet been synchronized with the latest write update?
If you are looking at loadbalancing NoSQL solutions, other challenges might arise.
Take a look at this article. 9 years old, still relevant:
Trying to get big ip into the middle and use some of the negative as well as positive security models if possible ? How relevant is this Daniel in context of providing better security ?
I assume you have BIG-IP AdvWAF already in front of the application, in order to prevent application layer attacks like injection attacks or well-known attack against the database management system (Attack Signatures and/or TC).
The BIG-IP WAF is a Web Application Firewall. Adding it between the app and the database will not add any value, because this is not http traffic but sql traffic. You cannot apply any security policies here.
If you have a requirement to implement a firewall that is capable to look into sql traffic and to protect databases (additional to the protection that BIG-IP offers on the application level) - there are other vendors who offer database security products.
Might be a bit late.... but maybe it can still help you. Basically you integrate AWAF with a third party DB security product which would then examine the database queries.
The WAF would not do the policy enforcement on SQL level, but the database security product. The database security would signal the result to the WAF and then the WAF would either allow the request to pass or not.
